DoD's new plan promises speedy approval of commercial mobile devices

Jared Serbu, DoD reporter, Federal News Radio

The Defense Department says it has a solid plan to use the current generation of commercially-available mobile devices on military networks and, just as importantly, to issue security approvals for those devices in a way that roughly matches up with the pace of the commercial marketplace.

The Pentagon's path forward comes in the form of a commercial mobile device implementation plan, approved by Teri Takai, the DoD chief information officer, earlier this month and released to the public Tuesday. It lays out specific timelines for building a new device management architecture to support iPhone, Android and other off-the-shelf mobile devices on both classified and unclassified Defense networks. It also includes getting those devices past what have proved to be extremely high hurdles for approval based on the military's bureaucratic process for issuing cybersecurity blessings.

DoD's mobile strategy until recently could be summed up mostly with one word: BlackBerry. Out of the 600,000 mobile devices on military networks today, almost 500,000 were made by the company formerly known as RIM. Many of the rest are iOS and Android devices being operated in test projects by the military services.

But the time has come to begin turning those various pilot projects into a coherent, DoD-wide mobile infrastructure, said Maj. Gen. Robert Wheeler, DoD's deputy chief information officer for command, control, communications, computers and information infrastructure.

"We're trying to take all the mobility spirals that we have out there today and find the best solution overall. They will slowly grow to that," he said. "At some point in the future — and that point will vary by the service — they will become part of the enterprise. The services have signed up to that."

Path forward already under development

The Defense Information Systems Agency will play a lead role in implementing the plan. The strategy largely is an articulation of the work DISA and the National Security Agency already have been doing in laying the groundwork for service members to use commercial devices.

DISA already has released requests for proposals to industry to create an enterprise-level app store and mobile device management system for DoD. Those awards are expected later this year. And the NSA has been working on ways to use off-the-shelf commercial devices on the military and intelligence community's classified networks.

The plan the Pentagon released Tuesday calls for the devices to be capable of data and voice communication up to the top secret level by September, and both the classified and unclassified communications will be carried over the existing networks of commercial wireless carriers.

"The biggest difference between the classified and unclassified networks is that we'll have a second layer of encryption on the classified network (commercial encryption, not Type 1 encryption) on the classified device," said John Hickey, the mobility program manager for DISA. "It lets us leverage what technology's already out there in the commercial space."

Another key change in the plan is a significant overhaul to the way DoD reviews technology to make sure it's safe for military networks.

No more traditional STIGs

The traditional process, using what are known as Security Technical Implementation Guides (STIGs), involves DISA security pros scouring through, for example, a new release of the Windows operating system, in order to decide which features need to be turned off, which settings need to be changed, and which patches need to be applied.

Besides BlackBerrys, DISA has only been able to put one mobile device through those painstaking paces, and by the time the STIG was approved, the manufacturer, Dell, had already retired the device from its lineup.

"In the mobile space, that model doesn't work just because of the pure speed at which devices come into the market," Hickey said.

So DISA has decided to get out of the business of poking through devices one at a time to determine how to make them comply with DoD requirements. Instead, it has begun publishing what it terms Security Requirements Guides: a set of standards that each device or application must comply with. It's then up to device manufacturers or software developers to present their own STIGs to DISA, whose only job will be to validate them after the fact.

In the new process, DoD says it will be entirely device-agnostic and operating-system-agnostic, and it's aiming to add new devices to its approved products list in a turnaround time of no more than 90 days.

"And I would tell you 90 days is the far end," Hickey said. "We need to get closer to 30 days, and that's our goal. The concept now is, 'Here's our requirements. Bring us a STIG and we'll review it very, very quickly.' We've gotten very positive feedback from industry on that, from mobile operating system makers as well as people in the mobile device management and application arena."